Security issues with Front End Server in a DMZ?

We currently have a Front End/Back End Exchange configuration which resides completely behind a firewall.  It seems we are having to evaluate the option of sticking the FE server out in the DMZ for direct access to POP, IMAP, etc.  

*Currently, all users access the corporate network via VPN for access to Exchange mail.  Performance (speed) and accessibility issues have been expressed by a number of our users when connecting in this manner.

If we were to only to open the secure ports ->
443 - HTTP (SSL)
993 - IMAP4 (SSL)
995 - POP3 (SSL)
...what are the obvious security risks?

 It appears to be a infrastructure design practice preached by MS and just need to be well-informed about any security before implementing.  The FE is NOT a GC and has no mailbox store mounted...

thanks for any insight!
Who is Participating?
trywaredkConnect With a Mentor Commented:
Improving the Security of PST Files;en-us;143241

Downloading and Using the Security Configuration Manager Tool:;en-us;245216

Stress Tools to Test Your Web Server:;en-us;231282

WebCast: Using the Microsoft Security Tool Kit to Get and Stay Secure;en-us;324892

Microsoft Baseline Security Analyzer

Maximum Windows 2000 Security

List of known Trojan/Backdoors and the TCP/UDP ports on which they operate

Many Regards
Jorgen Malmgren

:o) Your brain is like a parachute. It works best when it's open

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

davisAuthor Commented:
Lots of good resources here - thanks!

To quote an excerpt from your 2nd posted link:
"Just about any firewall will allow packet and port filtering in order to protect your network and Exchange environment. While this is a good start for protecting your servers, it falls short of complete protection since you have to open ports to allow access to the data in your private network. For example, port 25 must be opened to allow for SMTP traffic, port 80 for HTTP."

...with the FE in a perimeter zone (between two firewalls), as shown in the diagram, is the internal network still at risk?  Unclear what can be at risk - the FE, the BE (back-end), or both.

thanks for any clarification!!
I did'nt stydy it all, but the solution is here:

Microsoft Exchange 2000 Server Front-End and Back-End Topology
 Advantages of a Front-End and Back-End Server Environment
 How Front-end and Back-end Topology Works
 Deployment Considerations
 Configuring a Front-End Server
 Configuring a Back-End Server
 Configuring Firewalls
 Front-end and Back-end Topology Checklist
 Front-end and Back-end Topology Troubleshooting Steps
 Additional Resources
SoftScan puts an end to virus and spam threats from the Internet
Remember to have a different/difficult password for the administrator on the FE server, than on the BE and the rest of your servers, and setup auditing on FE

HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:;en-us;Q300549&sd=tech

Windows 2000 Server Security Guidelines - Audit acconts

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
davisAuthor Commented:
I have used the 'maintain'article quite a bit  - kind of a bible.

I think I found the answer in the article you posted earlier :

Also found elsewhere, it stated :
"For security reasons, you don't want to install a front-end server in a DMZ.
Why?  Because you have to open up a whole stack of ports between the
networks.  A much more secure solution is to have the FE server on the
internal network, with ISA Server in the DMZ publishing OWA."

I would imagine it would be sugested to run ISA or some other firewall that will do application proxy.  Something to scan the traffic on IMAP, SMTP, POP before passing on to the mailserver.

Thanks for your references!

davisAuthor Commented:
OOps - meant to Accept the one just above the one I actually accepted.

I found it much more concise and useful
:o) Glad I could help you - thank you for the points
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.